CN103984908A - South bridge chip and application method thereof - Google Patents

Info

Publication number
CN103984908A
Authority
CN
China
Prior art keywords
computer system
processor
south bridge
bridge chip
safe condition
Prior art date
Legal status
Granted
Application number
CN201410186552.6A
Other languages
Chinese (zh)
Other versions
CN103984908B (en
Inventor
景蔚亮
封松林
陈邦明
Current Assignee
Shanghai Xinchu Integrated Circuit Co Ltd
Original Assignee
Shanghai Xinchu Integrated Circuit Co Ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Xinchu Integrated Circuit Co Ltd
Priority to CN201410186552.6A
Publication of CN103984908A
Application granted
Publication of CN103984908B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Abstract

The invention discloses a south bridge chip and an application method thereof, and belongs to the technical field of computer system security. The south bridge chip comprises a detection unit, a processing unit and a state setting unit; the state setting unit is connected to an external input unit and is respectively connected to the detection unit and the processing unit. The application method comprises the following steps: acquiring an external input instruction; according to the instruction, placing the computer system in a first-level security state in which it works normally; according to the instruction, placing the computer system in a second-level security state in which the detection unit is started; and according to the instruction, placing the computer system in a third-level security state in which the processing unit is started. The technical scheme has the beneficial effects that damage to the computer system from illegal instructions or harmful data originating from the internet is avoided, while the working performance of the computer system is maintained to a certain degree; in addition, the south bridge chip is simple to implement and lower in cost.

Description

South bridge chip and application method thereof
Technical field
The present invention relates to the technical field of computer system security, and in particular to a south bridge chip and an application method thereof.
Background technology
With the progress of science and technology and the wide spread of the internet, national security, and national information security in particular, has become more and more important. From personal computers and small enterprise-level service terminals up to the computer systems of public service industries and the entire national security system, all of them may be attacked by illegal instructions or harmful data coming from the internet. Furthermore, because domestic processor chips and the supporting computer hardware are not yet mature, computer systems generally adopt foreign high-performance processor chips for performance reasons, whether they are used by individuals, enterprises or the state. However, different "security back door" programs may have been added to these processor chips. A "security back door" means hidden unused code or harmful data left in the processor chip or in memory; an attacker can send activation instructions over the internet to activate these back doors and use them to disrupt the normal operation of the computer system. Because such back doors are usually burned into the processor chip or memory, under normal working conditions it is difficult or impossible for the user to discover these illegal instructions or harmful data, while abandoning foreign high-performance processor chips would in turn reduce the usability of the computer system.
Chinese patent CN1520537 discloses a method, device and system capable of disabling a back door access mechanism. A processor comprises a first register configured to store one or more hardware debug test (HDT) enable bits; first control logic connected so as to receive a plurality of HDT input signals; and second control logic connected to the first register. The first control logic is connected so that it can access the first register, and the second control logic is arranged to store one or more default values in the first register in response to a reset of the processor. Another processor comprises first control logic connected so as to receive a plurality of microcode inputs; a first register connected to the first control logic; and second control logic connected to the first register. The first register is configured to store one or more microcode loader enable bits, and the second control logic is configured to store one or more default values in the first register in response to a reset of the processor. That scheme mainly concerns improvements inside the processor chip; but for foreign high-performance processor chips, the internal storage structure and processor architecture are usually not disclosed, and users do not necessarily have the skills needed to modify a processor architecture, so that scheme is not suited to solving the problems in the prior art.
Summary of the invention
In view of the defects of the prior art, a south bridge chip and an application method thereof are now provided, specifically comprising:
A south bridge chip, integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system; wherein the south bridge chip is connected between the processor and the memory;
the processor obtains, through the south bridge chip, data input from an external network and data stored in the memory;
the south bridge chip comprises:
a detection unit, for detecting the security of the data sent to the processing unit;
a processing unit, for replacing the processor to perform the data processing and transfer functions of the computer system;
a state setting unit, connected to an external input unit and respectively connected to the detection unit and the processing unit, for setting, according to a control instruction input through the input unit, the security state of the computer system to a first-level security state in which the computer system works normally, a second-level security state in which the detection unit is enabled, or a third-level security state in which the processing unit is enabled.
Preferably, in this south bridge chip, the state setting unit closes the processor when the computer system is set in the third-level security state.
Preferably, this south bridge chip further comprises:
a first storage unit, connected to the processing unit, for holding a preset second operating system;
the second operating system being used by the processing unit to control the operation of the computer in the third-level security state.
Preferably, in this south bridge chip, a plurality of executable instructions are preset in the processor;
the first operating system is called by the processor in the second-level security state;
the south bridge chip further comprises:
an addressing interception unit, running in the first operating system, for setting the memory address information corresponding to those executable instructions preset in the processor that need to be shielded as suspicious memory address information, and
for matching the memory address information contained in addressing requests sent to the processor against the suspicious memory address information, and intercepting the addressing requests that match the suspicious memory address information.
An application method of a south bridge chip, the south bridge chip being integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system; wherein the south bridge chip is connected between the processor and the memory;
the processor obtains, through the south bridge chip, data input from an external network and data stored in the memory;
the south bridge chip comprises:
a detection unit, for detecting the security of the data sent to the processing unit;
a processing unit, for replacing the processor to perform the data processing and transfer functions of the computer system;
the application method of the south bridge chip specifically comprises:
Step S1, obtaining an externally input instruction;
Step S2, according to the instruction, setting the computer system in a first-level security state in which it works normally;
Step S3, according to the instruction, setting the computer system in a second-level security state in which the detection unit is started;
Step S4, according to the instruction, setting the computer system in a third-level security state in which the processing unit is started.
Preferably, in the application method of this south bridge chip,
in step S2, the computer system works with a first operating system in the first-level security state;
in step S3, the computer system works with the first operating system in the second-level security state;
in step S4, the computer system works with a second operating system in the third-level security state.
Preferably, in the application method of this south bridge chip, in step S4, in the third-level security state, the processor is closed and the processing unit works in place of the processor.
Preferably, in the application method of this south bridge chip, a plurality of executable instructions are preset in the processor;
the first operating system is used to set the memory address information corresponding to those executable instructions preset in the processor that need to be shielded as suspicious memory address information;
step S3 specifically comprises:
Step S31, according to the instruction, placing the computer system in the second-level security state;
Step S32, according to the instruction, controlling the computer system to enable the addressing interception unit;
Step S33, by means of the addressing interception unit running in the first operating system, setting the memory address information corresponding to the plurality of executable instructions as suspicious memory address information;
Step S34, detecting whether the memory address information contained in an addressing request sent to the processor matches the suspicious memory address information:
if the memory address information contained in the addressing request matches the suspicious memory address information, go to step S35;
if the memory address information contained in the addressing request does not match the suspicious memory address information, return to step S34;
Step S35, intercepting the addressing request, and returning to step S34.
The beneficial effects of the above technical scheme are: damage to the computer system from illegal instructions or harmful data originating from the internet is avoided, while the usability of the computer system is preserved to a certain extent; the implementation is fairly simple and the cost is low.
Description of the drawings
Fig. 1 is a schematic structural diagram of a south bridge chip applied in a computer system, in a preferred embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a south bridge chip, in a preferred embodiment of the present invention;
Figs. 3 and 4 are schematic flow charts of the application method of the south bridge chip, in a preferred embodiment of the present invention.
Embodiment
The invention is further described below with reference to the drawings and specific embodiments, which are not to be taken as limiting the invention.
In a preferred embodiment of the present invention, as shown in Fig. 1, a south bridge chip 1 is arranged on the motherboard A of a computer system. Motherboard A usually also carries a processor 2, a memory 3 and a north bridge chip 21. In the prior art, the north bridge chip is connected between processor 2 and south bridge chip 1, and south bridge chip 1 is also connected to memory 3.
Usually, in a computer system, north bridge chip 21 is mainly responsible for communication with processor 2 and for controlling the memory; it handles the transmission of AGP (Accelerated Graphics Port, the PC graphics interface) data inside the north bridge, and determines the supported processor type and clock frequency, the system's front-side bus frequency, the supported memory type and maximum capacity, the AGP slot, ECC (Error Correcting Code, error checking and correction) support, and so on. South bridge chip 1 is also connected to memory 3 and includes an interface connected to an external network 4; it is mainly responsible for communication on the I/O bus, including the data and instructions transmitted from the external network, and for sending the data and instructions fetched from the memory to processor 2.
With the development of science and technology, the motherboard A of a computer system has to be made ever finer and smaller in volume, and integrating a large north bridge chip and a large south bridge chip on the motherboard clearly no longer meets the requirement of motherboard miniaturization. Therefore, the common practice is to integrate most or even all of the functions of north bridge chip 21, which sits close to the processor, into the processor chip 2 (as shown in Fig. 1), while the remaining north bridge functions not integrated into processor chip 2 are taken over by south bridge chip 1. In the prior art, a traditional south bridge chip 1 improved in this way is therefore also called a Platform Controller Hub (PCH) or integrated south bridge. As a result, the motherboard architecture of the whole computer system is simplified, the motherboard can be made smaller and smaller, and the requirement of modern motherboard miniaturization is gradually met.
In a preferred embodiment of the present invention, as shown in Fig. 2, the above south bridge chip 1 specifically comprises:
A detection unit 11, for detecting the security of the data sent to processor 2; specifically, for detecting whether the data and instructions sent to processor 2 from external network 4 or memory 3 have a security issue. In a preferred embodiment of the present invention, a security issue generally means judging whether the data is a malicious instruction, for example an instruction that makes the system shut down automatically. In a preferred embodiment of the present invention, when detection unit 11 detects that data sent to processor 2 through external network 4 may damage the computer system, or that data fetched by processor 2 from memory 3 may damage the computer system, detection unit 11 intercepts that data so as to guarantee that processor 2 works normally.
A processing unit 12, for working in place of processor 2 when processor 2 stops working. In a preferred embodiment of the present invention, the above processor 2 is the processor chip usually adopted by the computer system, which can be considered a foreign high-performance processor chip. Such high-performance processor chips, however, may contain deliberately placed "security back doors", for example malicious instructions preset in the processor chip. When such malicious instructions preset in the processor chip are activated through the external network or by calling an instruction stored in the memory, the whole computer system may suffer a certain amount of damage. Therefore, in situations requiring a higher security level, a processor chip without an embedded "security back door" (namely processing unit 12) is adopted to work in place of the original high-performance processor chip (namely processor 2). In a preferred embodiment of the present invention, since no malicious instructions are embedded in processing unit 12, and further, in order to prevent new malicious instructions from being produced by splicing and combining the contents of certain instructions, certain basic instructions are also not embedded in processing unit 12, the processor performance of processing unit 12 is lower than that of the traditional processor 2. In situations requiring a higher security level, a preferred embodiment of the present invention thus guarantees the safe operation of the computer system by appropriately sacrificing some processing performance.
A state setting unit 13, connected to an external input unit 5, for obtaining externally input control instructions. In a preferred embodiment of the present invention, state setting unit 13 is also respectively connected to detection unit 11 and processing unit 12, and to the above processor 2. After state setting unit 13 receives a control instruction, it places the computer system in the corresponding security state according to the control instruction received. Specifically:
In a preferred embodiment of the present invention, when state setting unit 13 receives a control instruction to place the computer system in the first-level security state, state setting unit 13 controls the computer system to work normally; detection unit 11 and processing unit 12 are both disabled.
In a preferred embodiment of the present invention, when state setting unit 13 receives a control instruction to place the computer system in the second-level security state, state setting unit 13 starts detection unit 11; detection unit 11 is now enabled, while processing unit 12 remains disabled. Detection unit 11 starts working, detecting and intercepting illegal instructions or harmful data sent to processor 2.
In a preferred embodiment of the present invention, when state setting unit 13 receives a control instruction to place the computer system in the third-level security state, state setting unit 13 starts processing unit 12; processing unit 12 is now enabled and works in place of processor 2, so as to keep the whole computer system running normally.
Further, in a preferred embodiment of the present invention, in the above third-level security state, state setting unit 13 first closes processor 2 before starting processing unit 12. After processor 2 has been stopped, processing unit 12 is started and works in place of processor 2.
In a preferred embodiment of the present invention, when the above computer system runs normally, it works with a first operating system.
In a preferred embodiment of the present invention, the above south bridge chip further comprises:
A first storage unit 14, connected to the above processing unit, in which a second operating system is held. In a preferred embodiment of the present invention, after processing unit 12 is enabled, it works with the second operating system. Further, in a preferred embodiment of the present invention, the second operating system may be an independently developed operating system, or another open-source operating system.
Further, in a preferred embodiment of the present invention, the above first storage unit 14 also holds the basic system information used to implement low-level system operation.
In a preferred embodiment of the present invention, the above basic system information is BIOS (Basic Input Output System) information, which is mainly used to implement the self-test program and the system self-start program after the system is powered on; it contains the basic settings of the system, and its main function is to provide the lowest-level and most direct hardware settings and control for the computer.
In a preferred embodiment of the present invention, the advantages of providing the above first storage unit 14 are:
1) Because it is compatible with advanced CMOS processes and can maintain high-speed access between the external network, processor 2 / processing unit 12 and the system memory, and in order to guarantee the miniaturization of motherboard A, first storage unit 14 may be a novel memory manufactured in a back-end-of-line process, for example phase change memory (PCM), magnetic memory (Magnetic Random Access Memory, MRAM), resistive memory (Resistive Random Access Memory, ReRAM) or ferroelectric memory (Ferroelectric Memory, FeRAM). The memory cell area of these novel memories is far smaller than that of traditional Flash memory, and their scalability is also far superior to traditional Flash memory.
Further, in a preferred embodiment of the present invention, adopting the above novel memory improves the radiation resistance of first storage unit 14.
2) If first storage unit 14 were separate from the south bridge chip and connected through an external interface, it would be more exposed to external attacks, for example side channel attacks. When first storage unit 14 suffers an external attack, the basic system information it holds may be altered, thereby changing the computer's boot entries and hardware control and harming the computer system. Integrating first storage unit 14 into the south bridge chip effectively prevents such attacks and raises the security of the system.
3) Integrating first storage unit 14 into south bridge chip 1, rather than connecting it through an external serial port, increases the speed at which processing unit 12 loads the basic system information held in first storage unit 14, and thus increases the boot speed of the computer system.
In a preferred embodiment of the present invention, the above first storage unit 14 may alternatively be arranged outside the south bridge chip and connected to the south bridge chip through an external interface.
In a preferred embodiment of the present invention, a plurality of executable instructions are preset in processor 2.
When state setting unit 13 places the computer system in the second-level security state, state setting unit 13, according to the control instruction, controls processor 2 to enable an addressing interception unit running in the first operating system.
In a preferred embodiment of the present invention, the addressing interception unit running in the first operating system is called by the processor in the second-level security state, in order to set the memory address information corresponding to those executable instructions preset in the processor that need to be shielded as suspicious memory address information.
In a preferred embodiment of the present invention, as noted above, the executable instructions preset in processor 2 may include malicious instructions capable of damaging the hardware and software of the computer system. These malicious executable instructions normally do nothing, but a specific illegal instruction sent to processor 2 through the external network or from the internal memory can activate them and so achieve the aim of damaging the computer system. Therefore, in a preferred embodiment of the present invention, methods such as reverse engineering are first used to find the memory addresses of the malicious executable instructions; then the addressing interception unit running in the first operating system sets the memory addresses of these executable instructions as suspicious memory addresses in processor 2 that need to be shielded.
In a preferred embodiment of the present invention, in the above second-level security state, when the processor works with the first operating system, the addressing interception unit is started and obtains the addressing requests sent to processor 2. The addressing interception unit matches the memory address contained in each addressing request against the suspicious memory addresses set as needing to be shielded, and intercepts the addressing requests that match, that is, the addressing requests containing a suspicious memory address.
Further, in a preferred embodiment of the present invention, by means such as the above reverse engineering, a memory address range of trusted instructions and a memory address range of suspicious instructions in processor 2 are delimited. Of course, the executable instructions identified by means such as reverse engineering are an enumeration; that is, the memory address range of the trusted instructions plus the memory address range of the suspicious instructions does not equal the whole range of memory addresses in which executable instructions are held in processor 2.
In a preferred embodiment of the present invention, the memory address range of the suspicious instructions needs to be shielded, so the addressing interception unit is first used to shield the memory address range of the suspicious instructions and intercept the addressing requests matching that memory address range, thereby guaranteeing that the suspicious instructions are not activated.
Further, in a preferred embodiment of the present invention, after external attack instructions have been upgraded, the following situation may arise: an external attack instruction enables a part of one trusted instruction and combines it with a part of another trusted instruction to form a new executable instruction, and this newly formed executable instruction may be malicious. In this case, not only the memory address range of the suspicious instructions but also the memory address range of the trusted instructions needs to be shielded, so the range of addresses set as suspicious is expanded, and the addressing interception unit intercepts the addressing requests that match the expanded set of suspicious memory addresses.
In a preferred embodiment of the present invention, since in these cases most of the executable instructions preset in processor 2 are shielded, the running performance of processor 2 is affected to a certain extent.
In a preferred embodiment of the present invention, when the computer system is in the second-level or third-level security state and state setting unit 13 receives a control instruction requiring a switch to the first-level security state, state setting unit 13 closes detection unit 11 or processing unit 12 and turns processor 2 on (if processor 2 is currently closed), so that the computer system returns to its normal working state.
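The following model, added here as an illustration and not taken from the patent, walks through the state setting unit's three security levels (Steps S1 to S4 and the switch back to the first level) together with the addressing interception loop of Steps S31 to S35, including the expanded shielding of trusted address ranges described above. The class and method names, the outcome strings and the address ranges are assumptions chosen for the example; real suspicious ranges would come from the reverse-engineering step the patent describes.

```python
"""Model of the south bridge state setting unit and addressing interception unit.

Added example, not the patent's own code. Names (SouthBridge, set_state,
handle_addressing_request) and the sample address ranges are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class SecurityLevel(IntEnum):
    FIRST = 1   # normal work: detection unit and processing unit disabled
    SECOND = 2  # detection unit enabled, addressing interception active
    THIRD = 3   # processor closed, processing unit works in its place


@dataclass
class SouthBridge:
    # Address ranges as (start, end) inclusive. Constructed sample values;
    # the patent obtains them by reverse engineering the processor.
    suspicious_ranges: list
    trusted_ranges: list
    # Set when attack instructions that splice parts of trusted instructions
    # must be countered: trusted ranges are then shielded as well.
    expanded_shielding: bool = False
    level: SecurityLevel = SecurityLevel.FIRST
    detection_enabled: bool = False
    processing_enabled: bool = False
    processor_on: bool = True
    intercepted: list = field(default_factory=list)  # audit log of blocked addresses

    def set_state(self, level: SecurityLevel) -> None:
        """State setting unit: apply a control instruction from the input unit."""
        if level == SecurityLevel.FIRST:
            # Switching back: close detection/processing unit, reopen processor.
            self.detection_enabled = False
            self.processing_enabled = False
            self.processor_on = True
        elif level == SecurityLevel.SECOND:
            # Step S3: start the detection unit; processing unit stays disabled.
            self.detection_enabled = True
            self.processing_enabled = False
            self.processor_on = True
        elif level == SecurityLevel.THIRD:
            # Step S4: close the processor first, then start the processing unit.
            self.processor_on = False
            self.processing_enabled = True
        else:
            raise ValueError(f"unknown security level: {level!r}")
        self.level = level

    def shielded_ranges(self) -> list:
        """Step S33: the address ranges currently set as suspicious."""
        ranges = list(self.suspicious_ranges)
        if self.expanded_shielding:
            ranges.extend(self.trusted_ranges)
        return ranges

    def is_suspicious(self, address: int) -> bool:
        """Step S34: does the request's address match a shielded range?"""
        return any(start <= address <= end for start, end in self.shielded_ranges())

    def handle_addressing_request(self, address: int) -> str:
        """Steps S34/S35 for one addressing request sent to the processor.

        Returns "forwarded", "intercepted" or "processor_closed".
        """
        if not self.processor_on:
            # Third level: the processor is closed; the processing unit serves instead.
            return "processor_closed"
        if self.detection_enabled and self.is_suspicious(address):
            self.intercepted.append(address)  # Step S35: intercept, then keep watching
            return "intercepted"
        return "forwarded"


if __name__ == "__main__":
    sb = SouthBridge(suspicious_ranges=[(0x1000, 0x10FF)],
                     trusted_ranges=[(0x2000, 0x20FF)])
    sb.set_state(SecurityLevel.SECOND)
    for addr in (0x1010, 0x2010, 0x3000):
        print(hex(addr), sb.handle_addressing_request(addr))
```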
As shown in Figure 3, in a preferred embodiment of the invention, a method of applying the south bridge chip described above specifically comprises:
Step S1: obtaining an externally input instruction;
Step S2: according to the instruction, setting the computer system to the first-level secure state, in which it works normally;
In a preferred embodiment of the invention, in the first-level secure state the computer system works normally and both the detecting unit and the processing unit are disabled.
In a preferred embodiment of the invention, in the first-level secure state the computer system runs a first operating system. This first operating system may be the main operating system installed on the computer system, for example a Windows operating system.
Step S3: according to the instruction, setting the computer system to the second-level secure state, in which the detecting unit is enabled;
In a preferred embodiment of the invention, in the second-level secure state the detecting unit is enabled while the processing unit remains disabled.
In a preferred embodiment of the invention, in the second-level secure state the computer system continues to run the first operating system.
Step S4: according to the instruction, setting the computer system to the third-level secure state, in which the processing unit is enabled.
In a preferred embodiment of the invention, in the third-level secure state the processing unit is enabled and the processor is closed, so that the processing unit works in place of the processor.
In a preferred embodiment of the invention, in the third-level secure state the computer system runs a second operating system, which may be an independently developed operating system or another open-source operating system, such as the open-source Linux operating system.
In a preferred embodiment of the invention, when the computer system is in the second-level secure state and runs the first operating system, the processor invokes the addressing interception unit to set a plurality of suspicious memory addresses corresponding to suspicious executable instructions. Thereafter, whenever an external addressing request is sent to the processor, the memory address it contains is first checked against the suspicious memory addresses, and any addressing request whose address matches a suspicious memory address is intercepted.
The above steps specifically comprise:
Step S31: according to the instruction, setting the computer system to the second-level secure state;
Step S32: according to the instruction, controlling the computer system to enable the addressing interception unit;
Step S33: by means of the addressing interception unit running under the first operating system, setting the memory address information corresponding to a plurality of executable instructions as suspicious memory address information;
Step S34: checking whether the memory address information contained in an addressing request sent to the processor matches the suspicious memory address information:
if the memory address information contained in the addressing request matches the suspicious memory address information, go to step S35;
if the memory address information contained in the addressing request does not match the suspicious memory address information, the request is not intercepted; return to step S34 for the next request;
Step S35: intercepting the addressing request, then returning to step S34.
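The interception loop of steps S32 to S35 is easy to get subtly wrong: checking only the first address of a request lets an attacker start a read on a trusted instruction and run into a blocked one, which is exactly the instruction-splicing case the description warns about (the same pattern as code-reuse attacks that chain fragments of legitimate code). The following C model is an added example, not the patent's hardware or any product code; the type and function names, the inclusive-range representation of a "suspicious memory address", the merge-on-add behaviour and the sample addresses are assumptions constructed for the illustration. Each suspicious entry is a byte range, a request is intercepted if any byte of it falls inside such a range, and adding a range that touches an existing one widens that entry, which is how the expanded address set of the description is represented here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the addressing interception unit (steps S32-S35).
 * Not the patent's RTL: names and the range representation are assumptions. */

#define IU_MAX_RANGES 16

typedef struct {
    uint64_t start;           /* first byte of a blocked instruction */
    uint64_t end;             /* last byte, inclusive */
} iu_range_t;

typedef struct {
    bool enabled;             /* step S32: the unit is off until enabled */
    iu_range_t ranges[IU_MAX_RANGES];
    size_t count;
    unsigned long intercepted;
    unsigned long forwarded;
} iu_unit_t;

typedef enum { IU_FORWARD = 0, IU_INTERCEPT = 1 } iu_verdict_t;

void iu_init(iu_unit_t *u)
{
    u->enabled = false;
    u->count = 0;
    u->intercepted = 0;
    u->forwarded = 0;
}

void iu_enable(iu_unit_t *u, bool on) { u->enabled = on; }

/* True if [s,e] overlaps or is adjacent to *r; written to avoid 64-bit overflow. */
static bool iu_touches(uint64_t s, uint64_t e, const iu_range_t *r)
{
    bool left_ok  = (r->end == UINT64_MAX) || (s <= r->end + 1);
    bool right_ok = (e == UINT64_MAX)      || (e + 1 >= r->start);
    return left_ok && right_ok;
}

/* Step S33: mark one executable instruction's byte span as suspicious.
 * A span touching an existing entry widens that entry (single pass, entries
 * are not re-coalesced afterwards); this is how the description's expanded
 * address set, covering trusted fragments that could be spliced, is held. */
bool iu_add_suspicious(iu_unit_t *u, uint64_t start, uint64_t end)
{
    if (start > end)
        return false;
    for (size_t i = 0; i < u->count; i++) {
        iu_range_t *r = &u->ranges[i];
        if (iu_touches(start, end, r)) {
            if (start < r->start) r->start = start;
            if (end > r->end)     r->end = end;
            return true;
        }
    }
    if (u->count == IU_MAX_RANGES)
        return false;
    u->ranges[u->count].start = start;
    u->ranges[u->count].end = end;
    u->count++;
    return true;
}

/* Steps S34/S35: check one addressing request of len bytes at addr. The whole
 * span of the request is tested, not only its first byte, so a request that
 * begins on a trusted instruction and runs into a blocked one is intercepted. */
iu_verdict_t iu_filter_request(iu_unit_t *u, uint64_t addr, size_t len)
{
    if (!u->enabled) {                 /* first-level state: everything passes */
        u->forwarded++;
        return IU_FORWARD;
    }
    if (len == 0)
        len = 1;
    uint64_t last = addr + (uint64_t)(len - 1);
    if (last < addr)                   /* wrapped past the top of memory */
        last = UINT64_MAX;
    for (size_t i = 0; i < u->count; i++) {
        const iu_range_t *r = &u->ranges[i];
        if (addr <= r->end && last >= r->start) {
            u->intercepted++;
            return IU_INTERCEPT;
        }
    }
    u->forwarded++;
    return IU_FORWARD;
}

int main(void)
{
    iu_unit_t u;
    iu_init(&u);
    /* Constructed sample: two pre-set instructions the operator wants blocked. */
    iu_add_suspicious(&u, 0x1000, 0x10FF);
    iu_add_suspicious(&u, 0x2000, 0x200F);
    iu_enable(&u, true);
    struct { uint64_t addr; size_t len; } reqs[] = {
        { 0x0FF0, 16 }, { 0x0FF8, 16 }, { 0x1080, 4 }, { 0x1100, 4 }, { 0x2008, 1 },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        iu_verdict_t v = iu_filter_request(&u, reqs[i].addr, reqs[i].len);
        printf("request 0x%04llx+%zu: %s\n", (unsigned long long)reqs[i].addr,
               reqs[i].len, v == IU_INTERCEPT ? "intercepted" : "forwarded");
    }
    printf("intercepted=%lu forwarded=%lu\n", u.intercepted, u.forwarded);
    return 0;
}
```

The request at 0x0FF0 of 16 bytes ends at 0x0FFF and passes, while the one at 0x0FF8 crosses into 0x1000 and is intercepted; a first-byte-only check would have forwarded both.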
In summary, the object of the invention is to switch the secure state of the computer system by means of a state setting unit integrated in the south bridge chip, which receives externally input control instructions. Specifically:
First-level secure state: the computer system runs the first operating system and works normally.
Second-level secure state: the detecting unit in the south bridge chip is enabled to detect and intercept forbidden instructions and/or harmful data sent to the processor. The overall performance of the computer system does not decline, but because the detecting unit operates continuously in the enabled state, the power consumption of the computer system may rise slightly.
Within the second-level secure state, as the severity of the attack instructions increases, the addressing interception unit is enabled, the memory addresses of the executable instructions pre-set in the processor that need to be blocked are set as suspicious memory addresses, and any subsequent addressing request sent to the processor that asks to address one of these suspicious memory addresses is blocked. Because part of the executable instructions pre-set in the processor are then blocked, the processing performance of the processor is reduced to some extent.
Third-level secure state: the processing unit in the south bridge chip is enabled and the processor is closed at the same time; the processing unit runs the second operating system in place of the processor. Because a lower-performance but higher-safety processing unit now works in place of the high-performance processor chip, processing performance is reduced further. This secure state is therefore selected only when the system may be subjected to a very serious instruction attack, trading part of the processor performance for a computer system running environment with a high safety factor.
In a preferred embodiment of the invention, when the likelihood of an instruction attack falls back to normal, the computer system is reset to the first-level secure state, closing the detecting unit and the processing unit and re-opening the processor, so that normal operation of the computer system is restored.
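The three-level scheme summarised above is a small state machine whose safety rests on a few invariants holding after every transition: the processor and the processing unit never execute at the same time, the south bridge units are all off in the first-level state, and address interception (which runs under the first operating system on the processor) cannot survive the switch to the third-level state. The C model below is an added example of that state machine, not the patent's logic or any product code; the names, the explicit active-OS field and the choice to keep the detecting unit on in the third-level state (which the description does not specify) are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative model of the state setting unit and the three secure states.
 * Not the patent's hardware: names and the level-3 detecting-unit rule are
 * assumptions made for this example. */

typedef enum { LEVEL_1 = 1, LEVEL_2 = 2, LEVEL_3 = 3 } safe_level_t;
typedef enum { OS_FIRST, OS_SECOND } active_os_t;

typedef struct {
    safe_level_t level;
    bool processor_on;        /* main processor */
    bool processing_unit_on;  /* processing unit inside the south bridge */
    bool detecting_unit_on;
    bool addr_intercept_on;   /* sub-mode of level 2, runs under the first OS */
    active_os_t active_os;    /* first OS on the processor, second OS on the processing unit */
} ssu_state_t;

/* Normal operation: south bridge units off, processor runs the first OS. */
void ssu_init(ssu_state_t *s)
{
    s->level = LEVEL_1;
    s->processor_on = true;
    s->processing_unit_on = false;
    s->detecting_unit_on = false;
    s->addr_intercept_on = false;
    s->active_os = OS_FIRST;
}

/* Invariants to check after every transition. */
bool ssu_invariants_hold(const ssu_state_t *s)
{
    if (s->processor_on == s->processing_unit_on) return false;   /* exactly one executes */
    if (s->level == LEVEL_1 &&
        (s->detecting_unit_on || s->processing_unit_on || s->addr_intercept_on)) return false;
    if (s->addr_intercept_on && s->level != LEVEL_2) return false; /* interception only in level 2 */
    if ((s->level == LEVEL_3) != s->processing_unit_on) return false;
    if ((s->active_os == OS_SECOND) != s->processing_unit_on) return false;
    return true;
}

/* Control instruction from the external input unit: switch to target level.
 * Any level can be entered from any other (1 -> 3 directly, 3 -> 1 to recover).
 * An unknown level is rejected and the state is left unchanged. */
bool ssu_set_level(ssu_state_t *s, safe_level_t target)
{
    switch (target) {
    case LEVEL_1:   /* recovery: close the south bridge units, reopen the processor */
        s->detecting_unit_on = false;
        s->addr_intercept_on = false;
        s->processing_unit_on = false;
        s->processor_on = true;
        s->active_os = OS_FIRST;
        break;
    case LEVEL_2:   /* detecting unit on; the processor keeps running the first OS.
                       Interception is a separate step (S32) and is not switched on here. */
        s->detecting_unit_on = true;
        s->processing_unit_on = false;
        s->processor_on = true;
        s->active_os = OS_FIRST;
        break;
    case LEVEL_3:   /* processing unit replaces the closed processor, second OS */
        s->detecting_unit_on = true;   /* assumption: detection stays on */
        s->addr_intercept_on = false;  /* it ran on the processor, which is now closed */
        s->processor_on = false;
        s->processing_unit_on = true;
        s->active_os = OS_SECOND;
        break;
    default:
        return false;
    }
    s->level = target;
    return true;
}

/* Step S32: interception can only be enabled inside the second-level state. */
bool ssu_enable_addr_intercept(ssu_state_t *s)
{
    if (s->level != LEVEL_2)
        return false;
    s->addr_intercept_on = true;
    return true;
}

static void ssu_show(const ssu_state_t *s, const char *what)
{
    printf("%-26s level=%d processor=%d processing_unit=%d detecting=%d intercept=%d os=%s ok=%d\n",
           what, (int)s->level, s->processor_on, s->processing_unit_on, s->detecting_unit_on,
           s->addr_intercept_on, s->active_os == OS_FIRST ? "first" : "second",
           ssu_invariants_hold(s));
}

int main(void)
{
    ssu_state_t s;
    ssu_init(&s);                   ssu_show(&s, "init");
    ssu_set_level(&s, LEVEL_2);     ssu_show(&s, "-> level 2");
    ssu_enable_addr_intercept(&s);  ssu_show(&s, "enable interception (S32)");
    ssu_set_level(&s, LEVEL_3);     ssu_show(&s, "-> level 3");
    ssu_set_level(&s, LEVEL_1);     ssu_show(&s, "-> level 1 (recover)");
    return 0;
}
```

Running the escalation and recovery sequence from the description prints ok=1 on every line; the check that matters most is that the processor and the processing unit are never both on or both off, since either would leave the system without a working execution unit or with two.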
In a preferred embodiment of the invention, the addressing interception unit described above may also be implemented in hardware in the computer system.
In a preferred embodiment of the invention, the first storage unit 14 described above may also be provided independently of the south bridge chip 1 (not shown), with the processing unit 12 accessing the first storage unit 14 through the south bridge chip 1.
The foregoing is merely a preferred embodiment of the invention and does not limit the embodiments or the scope of protection of the invention; those skilled in the art will recognise that all equivalent replacements and obvious variations made using the description and drawings of the invention fall within the scope of protection of the invention.

Claims (8)

1. A south bridge chip integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system, characterized in that the south bridge chip is connected between the processor and the memory;
the processor obtains data input from an external network through the south bridge chip and stores the data in the memory;
the south bridge chip comprises:
a detecting unit for detecting the security of data sent to the processor;
a processing unit for performing the data processing and transfer functions of the computer system in place of the processor;
a state setting unit connected to an external input unit and connected respectively to the detecting unit and the processing unit, for setting the secure state of the computer system, according to a control instruction input through the input unit, to a first-level secure state in which the computer system works normally, or to a second-level secure state in which the detecting unit is enabled, or to a third-level secure state in which the processing unit is enabled.
2. The south bridge chip of claim 1, characterized in that the state setting unit closes the processor when the computer system is set to the third-level secure state.
3. The south bridge chip of claim 1, characterized in that it further comprises:
a first storage unit connected to the processing unit, for storing a preset second operating system;
the second operating system being used by the processing unit to control the operation of the computer system in the third-level secure state.
4. The south bridge chip of claim 1, characterized in that a plurality of executable instructions are preset in the processor;
the first operating system is invoked by the processor in the second-level secure state;
the south bridge chip further comprises:
an addressing interception unit running under the first operating system, for setting the memory address information corresponding to the plurality of executable instructions preset in the processor that need to be blocked as suspicious memory address information, and
for matching the memory address information contained in an addressing request sent to the processor against the suspicious memory address information, and intercepting the addressing request if it matches the suspicious memory address information.
5. A method of applying a south bridge chip, the south bridge chip being integrated in a computer system, the computer system comprising a processor and a memory and working with a first operating system, characterized in that the south bridge chip is connected between the processor and the memory;
the processor obtains data input from an external network through the south bridge chip and stores the data in the memory;
the south bridge chip comprises:
a detecting unit for detecting the security of data sent to the processor;
a processing unit for performing the data processing and transfer functions of the computer system in place of the processor;
the method of applying the south bridge chip specifically comprises:
Step S1: obtaining an externally input instruction;
Step S2: according to the instruction, setting the computer system to a first-level secure state in which it works normally;
Step S3: according to the instruction, setting the computer system to a second-level secure state in which the detecting unit is enabled;
Step S4: according to the instruction, setting the computer system to a third-level secure state in which the processing unit is enabled.
6. The method of claim 5, characterized in that:
in step S2, the computer system works with a first operating system in the first-level secure state;
in step S3, the computer system works with the first operating system in the second-level secure state;
in step S4, the computer system works with a second operating system in the third-level secure state.
7. The method of claim 5, characterized in that in step S4, in the third-level secure state, the processor is closed and the processing unit works in place of the processor.
8. The method of claim 6, characterized in that a plurality of executable instructions are preset in the processor;
the first operating system is used to set the memory address information corresponding to the plurality of executable instructions preset in the processor that need to be blocked as suspicious memory address information;
step S3 specifically comprises:
Step S31: according to the instruction, setting the computer system to the second-level secure state;
Step S32: according to the instruction, controlling the computer system to enable the addressing interception unit;
Step S33: by means of the addressing interception unit running under the first operating system, setting the memory address information corresponding to the plurality of executable instructions as suspicious memory address information;
Step S34: checking whether the memory address information contained in an addressing request sent to the processor matches the suspicious memory address information:
if the memory address information contained in the addressing request matches the suspicious memory address information, going to step S35;
if the memory address information contained in the addressing request does not match the suspicious memory address information, returning to step S34;
Step S35: intercepting the addressing request and returning to step S34.
Application CN201410186552.6A, priority date 2014-05-05, filing date 2014-05-05: A south bridge chip and its application method. Granted as CN103984908B (en); legal status: expired (fee related).

Publications (2)
CN103984908A, published 2014-08-13
CN103984908B, published 2017-03-08

Family ID: 51276872

Patent citations (3), all cited by the examiner
US20030028781A1, priority 2001-05-10, published 2003-02-06, Strongin Geoffrey S.: Mechanism for closing back door access mechanisms in personal computer systems
CN100470485C, priority 2007-05-09, published 2009-03-18, Zhejiang University (浙江大学): Method for realizing multiple operation system synergistic working
US8296768B2, priority 2007-06-30, published 2012-10-23, Intel Corporation: Method and apparatus to enable runtime processor migration with operating system assistance

Cited by (2), both cited by the examiner
CN104460943A, priority 2014-12-16, published 2015-03-25, Shanghai Xinchu Integrated Circuit Co Ltd (上海新储集成电路有限公司): Energy saving computer system and application method thereof
CN104460943B, priority 2014-12-16, published 2018-08-28, Shanghai Xinchu Integrated Circuit Co Ltd (上海新储集成电路有限公司): An energy-saving computer system and its application method


Legal Events
C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model
CF01: Termination of patent right due to non-payment of annual fee
Granted publication date: 2017-03-08